
Denial of Service Attack Detection using Multivariate Correlation Analysis

N Hoque*, Department of CSE, Tezpur University, Napaam, Assam-784028, [email protected]
D K Bhattacharyya†, Department of CSE, Tezpur University, Napaam, Assam-784028, [email protected]
J K Kalita‡, Department of Computer Science, UCCS, University of Colorado Colorado Springs, [email protected]

ABSTRACT
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are a common and severe problem for network security researchers and practitioners. Attackers often use sophisticated attack tools to generate attack traffic that behaves much like normal network traffic, and many intrusion detection systems fail to detect such anomalous packets in real time. In this paper, we use a Multivariate Correlation Analysis (MCA) approach to distinguish attack traffic from normal traffic. The statistical measure is used to analyze the behavior of network traffic for attack detection: since DDoS attack traffic behaves differently from legitimate network traffic, the statistical properties of various traffic parameters reflect the changed behavior. We extract three basic parameters of network traffic, viz., entropy of source IPs, variation of source IPs and packet rate, and analyze the behavior of the traffic during attack detection. The method is validated on several benchmark datasets.

CCS Concepts
• Security and privacy → Denial-of-service attacks; Network security;

Keywords
Multivariate Correlation Analysis; Denial of Service; Distributed Denial of Service; Mahalanobis distance

* Nazrul Hoque, Department of CSE, Tezpur University, Napaam, Assam
† Dhruba Kumar Bhattacharyya, Department of CSE, Tezpur University, Napaam, Assam
‡ Jugal Kumar Kalita, Department of Computer Science, UCCS, USA

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

ICTCS '16, March 04-05, 2016, Udaipur, India
© 2016 ACM. ISBN 978-1-4503-3962-9/16/03 ... $15.00

DOI: http://dx.doi.org/10.1145/2905055.2905159

1. INTRODUCTION

Anomaly detection in modern computer systems and networks is very challenging for network security researchers and practitioners. The complexity and frequency of network anomalies and attacks are growing in parallel with the rapid development of the Internet and computer networks. A significant number of network security tools are available on the Internet to generate network attacks as well as to defend against and analyze them [11]. Attackers are able to use such tools to generate attack traffic that behaves similarly to normal network traffic, so that an anomaly detection system has difficulty in classifying that traffic as anomalous. Network intrusion detection systems fall into two categories, viz., misuse detection and anomaly detection. Misuse detection, also referred to as signature-based detection, detects only known attacks, i.e., those whose traffic pattern matches an already created attack signature. Anomaly detection, on the other hand, builds a profile of the normal network traffic and marks observed traffic as anomalous if its profile deviates significantly from the normal profile. A variety of methods, such as statistical, soft computing, data mining and machine learning techniques, are used to generate the normal profile for network traffic analysis [2] [10]. In statistical approaches, class-discriminating features are analyzed with different techniques to learn the behavior of network traffic. In this paper, we use Multivariate Correlation Analysis (MCA) over three distinct attributes, viz., entropy of source IPs, variation index of source IPs and packet rate, to identify anomalous traffic in near real time.

1.1 Motivation
It is very common to use statistical measures such as mutual information, entropy, Principal Components Analysis (PCA) and similarity or distance measures to detect anomalous patterns in network traffic. Statistical analysis of individual traffic parameters or attributes in isolation, however, often misleads anomaly detection and hence raises false alarms. In addition, an attacker tries to evade the detection mechanism by shaping the attack traffic so that it behaves similarly to normal traffic. Hence, in this paper, we exploit the multivariate correlation among three crucial features of network packets to detect DDoS attacks.

1.2 Contribution
The main contribution of this paper is twofold. First, we extract three distinct features from the network traffic, viz., entropy of source IPs, variation index of source IPs and packet rate. Second, we apply multivariate correlation analysis to these attributes and use the Mahalanobis distance to generate a normal profile. A test profile is then created for each incoming traffic instance, and if the test profile deviates from the normal profile by more than a user-defined threshold α, the observed traffic is marked anomalous. We validate our method on three datasets, viz., (i) CAIDA DDoS 2007, (ii) KDD CUP 99 and (iii) TUIDS.

2. RELATED WORK
Researchers have used statistical techniques such as correlation [4], entropy [21] and information gain [15] to analyze traffic and detect network anomalies. Many intrusion detection systems, such as STAT [16] and Haystack [16], are built on statistical approaches. Ye et al. [22] apply Hotelling's T² test to detect two types of anomalies, (i) counter-relationship anomalies and (ii) mean-shift anomalies. They use multivariate statistical analysis to generate a profile for normal traffic and use that profile for anomaly detection. The method is validated on small as well as large multi-day datasets, and on the large datasets it shows zero false alarms on normal traffic. A novel anomaly detection scheme based on Principal Components Analysis is proposed by Shyu et al. [18]. They apply PCA to the correlation matrix of normal traffic and use the Mahalanobis distance to measure distances among traffic instances. The PCA-based classifier consists of a major component score, which detects extreme observations with large values on selected original features, and a minor component score, which helps detect observations that do not conform to the normal correlation structure.

A method called Kernel-based Online Anomaly Detection (KOAD) is proposed by Ahmed et al. [1]. The algorithm incrementally constructs and maintains a dictionary of input vectors that define the region of normal behavior; as new traffic arrives, the dictionary is updated. The algorithm works sequentially and detects anomalies in real time. Feinstein et al. [5] present a method to detect DDoS attacks using entropy and packet attribute distributions. Entropy is computed on each network traffic sample; they observe that entropy values fall in a narrow range when the network is not under attack, but during an attack period the entropy values leave that range in a detectable manner. Santiago-Paz et al. [17] propose an entropy-based method to classify anomalous traffic in an enterprise network. They apply the Mahalanobis distance to describe an ellipse that characterizes the network entropy, which allows one to determine whether a given traffic slot is normal or anomalous. Kashyap and Bhattacharyya [12] describe a victim-end DDoS defense mechanism. They select a set of the most relevant features for DDoS detection and classify the anomalous traffic using a number of popular classifiers: C4.5, Naive Bayes, Bayesian Network, Reduced Error Pruning Tree (REPTree), SVM (2-class) and KNN. In addition to these, many other DDoS attack detection approaches, methods and tools have been introduced in the past decades [9].

2.1 Discussion
Even though a significant number of anomaly-based DDoS attack detection techniques have been introduced, many issues remain to be addressed. The following are our observations on DDoS attack detection.

Figure 1: Framework of the proposed method

1. To provide real-time detection, a DDoS detection mechanism must use only a few relevant features. Hence, quick selection or extraction of the most relevant features from network traffic for attack detection is important.

2. Most DDoS detection mechanisms depend on multiple user-defined thresholds, and their performance is highly influenced by these thresholds. Such thresholds need to be updated dynamically to cope with changes in a network.

3. Most victim-end detection systems are not cost effective and cannot provide real-time performance.

We develop a method based on multivariate correlation analysis that uses a small number of attributes to distinguish DDoS attack traffic from legitimate traffic in near real time with a low rate of false alarms.

3. PROPOSED METHOD
The detection approach consists of three steps, viz., (i) sampling the network traffic into multiple time windows, (ii) computing the entropy of source IPs, the variation index of source IPs and the packet rate for each window, and (iii) analyzing the correlation among these three features for each time window. To find the correlation among multiple features we use Multivariate Correlation Analysis (MCA) [20]. MCA uses a triangular area map generation module to extract the correlation between any two distinct features; it computes the correlation among all extracted features and stores the values in triangular form. From these correlation values a normal profile is generated during the training period. Similarly, a test profile is generated for the observed traffic during the testing period. If the deviation between the normal profile and the observed traffic is greater than a threshold value, an alarm is raised indicating that an attack has occurred. The framework of the proposed method is shown in Figure 1. The proposed method rests on the following two assumptions.

Assumption 1: If the entropy of source IPs is very high and the packet rate is also very high, the attack probability is high.

Assumption 2: If the variation among source IPs is very high and the packet rate is also high, the attack probability is high.

We use MCA to analyze the behavior of various features of a network packet. Most statistical DDoS attack detection methods compute the correlation, distance or similarity among packets during attack detection. Unfortunately, many network security tools can generate network traffic that behaves very similarly to normal network traffic. In such situations the correlation or similarity between a normal traffic instance and an attack traffic instance is very high (their distance is small), and a method that compares instances directly may fail. To handle this situation, we use MCA to compute the correlation among the various features of a network packet, and these feature-pair correlation values, rather than the raw features, are used to compute the distance between instances. The symbols and notation used to describe the algorithm are given in Table 1.

Table 1: Symbols used and their meaning

Symbol       Meaning
Esip         entropy of source IPs
Vsip         variation of source IPs
Prate        packet rate
f_i          i-th feature
O_i          object/instance number i
MD           Mahalanobis distance
meanMD       mean Mahalanobis distance
SD           standard deviation
Normal_mat   triangular matrices of the normal samples
NormalT_mat  mean of the Normal_i triangular matrices (normal template, Step 2 of Section 3.1)

3.1 Algorithm

Data: samples of network traffic in 1-second windows
Result: attack samples

Step 1:
  for each sample S_i, i = 1, 2, ..., n do
    compute Esip, Vsip, Prate
  end
  O_i = {Esip_i, Vsip_i, Prate_i}

Step 2:
  for each object O_i do
    for each pair of distinct features f_i, f_j ∈ F do
      compute correlation corr(f_i, f_j) = |f_i| × |f_j| / 2
    end
    store the upper (or lower) triangle of the correlation matrix as Normal_i
  end
  Normal_mat = {Normal_i}, i = 1, 2, ..., n
  NormalT_mat = (1/n) Σ_{i=1}^{n} Normal_i
  compute MD between Normal_mat and NormalT_mat
  compute meanMD and the standard deviation SD

Step 3:
  for each test object O_t do
    compute the correlation matrix Normal_t
    compute MD_{O_t}
    if (meanMD + SD) / (MD_{O_t} − SD) ≥ α then
      attack
    else
      normal
    end
  end

3.2 Pre-processing
We use the CAIDA dataset [7] to evaluate the performance of the proposed method, specifically one hour of trace data from the CAIDA 2007 DDoS dataset. The dataset contains raw packet data with many fields. Working with the entire trace and/or many fields is very tedious, so we sample the dataset into time windows of 1 second each and use only three important features, viz., the entropy of source IPs, the variation index of source IPs and the packet rate of a window.

3.3 Feature Extraction Module
Feature selection is an important pre-processing step for network traffic classification. One can use mutual information [8], correlation [23], rough sets [19] or fuzzy sets [14] for feature selection and extraction. A real-time anomaly detection system captures raw network traffic from the network interface and analyzes it. Analysis of raw network traffic is not only difficult but also time consuming, because a network packet contains both header and payload information, and not all header fields are equally important for analyzing a packet. Hence we use only a few important features of the network traffic for attack detection. In our experiment we extract three features, viz., entropy of source IPs, variation index of source IPs and packet rate, from the CAIDA dataset after first splitting the trace into time windows. To split the trace we use the editcap command and then the tshark command with the required field options. A script written in C calculates the entropy of source IPs, the variation among source IPs and the packet rate for each window.

3.4 Entropy and Variation Index of Source IPs
Network traffic analysis is performed to detect malicious traffic passing through a network. During traffic analysis one considers either packet header information alone or packet header and payload information together. In both schemes, TCP or IP header fields are analyzed to detect network-level anomalies: source IP, source port, destination IP, destination port, protocol and the TCP flags are very useful for detecting anomalous behavior of a network packet. We calculate the entropy of source IPs, the variation among source IPs and the packet rate for each traffic sample. The entropy of source IPs for a sample is calculated using Equation (1):

$$H(x) = -\sum_{i=1}^{n} P(x_i) \log_2 P(x_i) \qquad (1)$$

where $x$ is a random variable representing the source IP and $n$ is the total number of possible values of the source IP. The variation among source IPs is the rate of change of the source IP address with respect to time: if the address changes frequently, the variation is high. We compute the entropy of source IPs, the variation among source IPs and the packet rate for each network traffic sample. Observing the behavior of high-rate DDoS flooding attacks shows that such attacks can be generated by real attackers as well as by zombies. If spoofed source IP addresses are used during attack generation, the entropy of source IPs will be very low, but the variation of source IPs with respect to the time window will be very high; as a result, the variation of source IPs and the packet rate towards a particular destination IP will be highly correlated during an attack. On the other hand, if the source IPs are real, only certain IP addresses send attack packets to the victim during an attack, and hence the entropy of those source IPs as well as the packet rate towards the victim will be very high. Figures 2(a) and 2(b) show the variation of source IPs for normal and attack traffic, respectively; similarly, the entropy of source IPs for normal and attack traffic is shown in Figures 3(a) and 3(b), respectively.
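The feature extraction of Sections 3.3 and 3.4 (Step 1 of the algorithm in Section 3.1), as an added example in Python; it is not the authors' C script. It reads the two-column output that `tshark -r trace.pcap -T fields -e frame.time_epoch -e ip.src -E separator=,` produces, groups packets into 1-second windows as `editcap -i 1` would, and computes Esip (Equation 1), Vsip and Prate for every window. Two assumptions not stated in the paper: the variation index is taken as the fraction of consecutive packets within a window whose source IP differs from the previous packet's, and the trace below is constructed by hand (two quiet seconds from four hosts, then one second of a flood from spoofed sources), not captured data.

```python
import math
from collections import Counter


def parse_fields(text):
    """Yield (epoch_seconds, src_ip) from tshark '-T fields' CSV lines.
    Lines without an IP source (ARP, malformed) are skipped."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) < 2 or not parts[1]:
            continue
        yield float(parts[0]), parts[1]


def split_windows(packets, width=1.0):
    """Group packets into consecutive windows of `width` seconds, counted from
    the first packet's whole second; returns the source-IP list of each window."""
    packets = sorted(packets)
    if not packets:
        return []
    start = math.floor(packets[0][0])
    windows = {}
    for ts, ip in packets:
        windows.setdefault(int((ts - start) // width), []).append(ip)
    return [windows[k] for k in sorted(windows)]


def source_ip_entropy(ips):
    """Equation (1): H = -sum_i p(x_i) log2 p(x_i) over the source-IP distribution."""
    n = len(ips)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(ips).values())


def variation_index(ips):
    """Rate of change of the source IP inside the window, taken (assumption) as
    the share of packet-to-packet transitions whose source IP differs."""
    if len(ips) < 2:
        return 0.0
    changes = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
    return changes / (len(ips) - 1)


def window_features(packets, width=1.0):
    """One object O_i = (Esip, Vsip, Prate) per window (Step 1 of Section 3.1)."""
    return [(source_ip_entropy(w), variation_index(w), len(w) / width)
            for w in split_windows(packets, width)]


# Constructed trace (not captured data): seconds 0-1 carry 8 packets each from four
# internal hosts sending in short runs; second 2 carries 40 packets, one each from a
# distinct spoofed source in 203.0.113.0/24.
_HOSTS = ["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"]
_lines = []
for sec in (0, 1):
    for k in range(8):
        _lines.append("%.3f,%s" % (1700000000 + sec + k * 0.12, _HOSTS[k // 2]))
for k in range(40):
    _lines.append("%.3f,203.0.113.%d" % (1700000002 + k * 0.024, (k * 37) % 251 + 1))
TRACE = "\n".join(_lines)

if __name__ == "__main__":
    for i, obj in enumerate(window_features(parse_fields(TRACE))):
        print("window %d: Esip=%.3f Vsip=%.3f Prate=%.0f" % (i, obj[0], obj[1], obj[2]))
```

On the constructed trace the two quiet windows give Esip = 2.0 (four equally active hosts), Vsip = 3/7 and Prate = 8, while the flood window gives Esip = log2(40), Vsip = 1.0 and Prate = 40, which is the joint movement of entropy, variation and rate that Assumptions 1 and 2 rely on. The Vsip definition is the part to revisit against real captures: a window with one packet per source maxes out at 1.0 regardless of how many sources there are, so the entropy term is what separates a single chatty pair of hosts from a spoofed flood.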

3.5 Normal profile generation using Mahalanobis distance

(a) IP variation for normal traffic
(b) IP variation for attack traffic
Figure 2: Variation of source IPs for normal and attack traffic

Table 2: Objects list

Object  f1    f2    f3
O1      3.67  1.78  59
O2      6.34  1.69  45

To detect anomalies in network traffic we first consider normal network traffic, which is assumed to be attack free, and generate a normal profile using the Mahalanobis distance [20]. The normal profile contains two parameters, viz., the mean Mahalanobis distance and the standard deviation over the normal instances. For each traffic sample we create an object with three parameters, namely the entropy of source IPs, the variation of source IPs and the packet rate. For each normal object we calculate the correlation between every two distinct parameters and store the values in a matrix. Consider two instances O1 and O2 with the parameters given in Table 2. The correlation between every pair of features is shown in Table 3; each cell holds the feature-feature correlation value |f_i| × |f_j| / 2 (for O1, for example, corr(f1, f2) = 3.67 × 1.78 / 2 = 3.27). Normal_mat is generated by storing the upper (or lower) triangle of each object O_i, i = 1, ..., n, and NormalT_mat is the mean of these triangles. From Normal_mat and NormalT_mat the Mahalanobis distance is computed using Equation (2).

(a) Source IP entropy for normal traffic
(b) Source IP entropy for attack traffic
Figure 3: Entropy of source IPs for normal and attack traffic

Table 3: Correlation values among parameters

For O1                              For O2
      f1      f2      f3                  f1      f2      f3
f1    0       3.27    108.27        f1    0       5.36    142.65
f2    3.27    0       52.51         f2    5.36    0       38.02
f3    108.27  52.51   0             f3    142.65  38.02   0

$$MD(Normal_{mat}) = \sqrt{R \times S^{-1} \times T} \qquad (2)$$

where $R = (Normal_{mat} - NormalT_{mat})'$, $T = (Normal_{mat} - NormalT_{mat})$, and $S$ is the covariance matrix computed from $Normal_{mat}$ and $NormalT_{mat}$. meanMD is the mean Mahalanobis distance over all normal instances. The standard deviation SD for $Normal_{mat}$ is computed using Equation (3):

$$SD = \sqrt{\frac{1}{n}\sum_{i=1}^{n}\left(Normal^{i}_{mat} - NormalT_{mat}\right)^2} \qquad (3)$$

In the testing period, for each test instance $O_t$ we compute the Mahalanobis distance $MD_{observe}$ between $Test^{i}_{mat}$ and $NormalT_{mat}$ using Equation (2). If the observed distance satisfies Equation (4), i.e., it deviates from the mean normal distance by at least the threshold α, the instance is marked as an attack instance; otherwise it is a normal instance.

$$|meanMD - MD_{observe}| \geq \alpha \qquad (4)$$
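The profile-building and decision steps of Section 3.5 (Steps 2 and 3 of the algorithm in Section 3.1), as an added example in Python; this is not the authors' MATLAB implementation. It builds the triangular area map (|f_i| × |f_j| / 2 per feature pair) for each object, the template NormalT_mat, the covariance and its inverse for Equation (2), meanMD and SD over the training windows, and applies the Equation (4) rule. Assumptions not in the paper: pure-Python matrix code in place of MATLAB, an unbiased sample covariance with a small ridge term on its diagonal so that a profile can be built from a handful of windows, and the training windows themselves, which are constructed (the first two are O1 and O2 of Table 2, so their maps reproduce Table 3).

```python
import math
from dataclasses import dataclass


def triangular_area_map(obj):
    """Upper triangle of the Section 3.1 'correlation' matrix of one object
    O_i = (Esip, Vsip, Prate): corr(f_i, f_j) = |f_i| * |f_j| / 2 per feature pair,
    ordered (f1,f2), (f1,f3), (f2,f3); these are the Table 3 entries."""
    f1, f2, f3 = obj
    return [abs(f1) * abs(f2) / 2, abs(f1) * abs(f3) / 2, abs(f2) * abs(f3) / 2]


def mean_vector(vectors):
    """NormalT_mat: element-wise mean of the Normal_i triangles."""
    n = len(vectors)
    return [sum(v[k] for v in vectors) / n for k in range(len(vectors[0]))]


def covariance(vectors, mean, ridge):
    """Unbiased sample covariance S of Eq. (2) plus `ridge` on the diagonal
    (assumption: keeps S invertible when only a few normal windows exist)."""
    d, n = len(mean), len(vectors)
    cov = [[0.0] * d for _ in range(d)]
    for v in vectors:
        diff = [v[k] - mean[k] for k in range(d)]
        for i in range(d):
            for j in range(d):
                cov[i][j] += diff[i] * diff[j] / (n - 1)
    for i in range(d):
        cov[i][i] += ridge
    return cov


def inverse(m):
    """Gauss-Jordan elimination with partial pivoting; returns m^-1."""
    d = len(m)
    a = [row[:] + [1.0 if i == j else 0.0 for j in range(d)] for i, row in enumerate(m)]
    for col in range(d):
        pivot = max(range(col, d), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        if abs(p) < 1e-12:
            raise ValueError("singular covariance: add normal windows or raise ridge")
        a[col] = [x / p for x in a[col]]
        for r in range(d):
            if r != col and a[r][col] != 0.0:
                f = a[r][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [row[d:] for row in a]


@dataclass
class NormalProfile:
    template: list        # NormalT_mat
    inv_cov: list         # S^-1 of Eq. (2)
    mean_md: float = 0.0  # meanMD over the training windows
    sd_md: float = 0.0    # standard deviation of those distances


def mahalanobis(tam, profile):
    """Eq. (2): sqrt((x - NormalT)' S^-1 (x - NormalT))."""
    diff = [x - t for x, t in zip(tam, profile.template)]
    d = len(diff)
    q = sum(diff[i] * profile.inv_cov[i][j] * diff[j] for i in range(d) for j in range(d))
    return math.sqrt(max(q, 0.0))


def build_profile(normal_objects, ridge=1e-6):
    """Step 2: Normal_mat, NormalT_mat, S^-1, then meanMD and SD of the normal MDs."""
    tams = [triangular_area_map(o) for o in normal_objects]
    template = mean_vector(tams)
    profile = NormalProfile(template, inverse(covariance(tams, template, ridge)))
    mds = [mahalanobis(t, profile) for t in tams]
    profile.mean_md = sum(mds) / len(mds)
    profile.sd_md = math.sqrt(sum((m - profile.mean_md) ** 2 for m in mds) / len(mds))
    return profile


def classify(profile, obj, alpha):
    """Step 3 with the Eq. (4) rule: attack if |meanMD - MD_observe| >= alpha."""
    md = mahalanobis(triangular_area_map(obj), profile)
    deviation = abs(profile.mean_md - md)
    return {"md": md, "deviation": deviation, "attack": deviation >= alpha}


# Constructed training windows (Esip, Vsip, Prate): the first two are O1 and O2 of
# Table 2, the rest are invented values of the same order of magnitude.
NORMAL_WINDOWS = [
    (3.67, 1.78, 59), (6.34, 1.69, 45), (3.90, 1.60, 52), (4.40, 1.90, 61),
    (5.10, 1.50, 48), (4.80, 1.70, 55), (4.20, 1.65, 50), (5.60, 1.80, 57),
]
FLOOD_WINDOW = (7.9, 9.5, 4200)  # constructed: many changing sources at a very high rate

if __name__ == "__main__":
    profile = build_profile(NORMAL_WINDOWS)
    print("meanMD=%.3f SD=%.3f" % (profile.mean_md, profile.sd_md))
    for obj in (NORMAL_WINDOWS[0], FLOOD_WINDOW):
        print(obj, classify(profile, obj, alpha=1.0))
```

Running the block prints meanMD and SD of the profile and the verdict for O1 and for the flood window; the flood lands thousands of standard units from the template and is flagged for any α in the 0.1 to 1 range of Section 4.3. A caveat a practitioner hits immediately: Equation (4) compares the test distance with the mean training distance rather than with zero, so a window that falls exactly on the template (MD = 0) deviates by meanMD and, with α = 1, is itself flagged. That is the threshold sensitivity Section 4.3 describes, and in practice α has to be tuned against the spread (SD) of the normal windows' distances rather than fixed in advance.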


3.6 Complexity Analysis
The first step of the algorithm extracts features from samples of network traffic. The complexity of feature extraction is O(n × d), where n is the total number of instances in a time window and d is the dimension of each instance. Computing the correlation among the features of an instance requires O(d × d) time. Next, the method takes O(m × n) time to compute the Mahalanobis distance for n instances, where m is the number of elements in an instance. Thus the total complexity of the method is O(n × d) + O(d × d) + O(m × n). Since n >> d and n >> m, the complexity is O(n).

4. EXPERIMENTAL RESULTS
The experiments were carried out on a workstation with 12 GB of main memory, a 2.26 GHz Intel Xeon processor and a 64-bit Windows 7 operating system. We implemented the algorithm in MATLAB R2008a. To validate the detection method we use three network intrusion datasets, viz., CAIDA DDoS 2007 [7], KDD CUP 99 [3] and TUIDS [6]. The performance of the method in terms of ROC curves is shown in Figures 4, 5 and 6 for the CAIDA, TUIDS and KDD CUP 99 datasets, respectively.

Figure 4: ROC curve for CAIDA DDoS dataset

4.1 Result Analysis

Figure 5: ROC curve for TUIDS dataset

Figure 6: ROC curve for KDD CUP dataset

Experimental results are plotted as three ROC curves, one per dataset (CAIDA, TUIDS and KDD CUP 99). In the ROC curve for the CAIDA dataset (Figure 4), the detection rate is very high, 98.8% to 99.6%, with low false positive rates. Figure 5 shows detection rates between 86% and 98% for the TUIDS dataset, and on the KDD CUP 99 dataset we observe detection accuracy from 60% to 98.85%. Thus, although the proposed method gives high detection accuracy and low false positive rates for the CAIDA and TUIDS datasets, it shows a lower detection rate and a higher false positive rate for the KDD CUP 99 dataset, as shown in Figure 6.

4.2 Comparison with existing works
In comparison to the MCA-based triangular area method proposed by Tan et al. [20], our method performs better on the KDD CUP 99 dataset: it gives a 98.85% detection rate with a 0.015% false positive rate, whereas the MCA-based method gives a 95.11% detection rate with a 1.26% false positive rate. Our method also gives a higher detection rate than the NFBoost with Cost Minimization method [13], which reports a 98.2% detection rate with a 1.7% false positive rate.

4.3 Discussion
The proposed DoS/DDoS detection method detects attacks based on the deviation of the test profile from the normal profile: an attack is reported when the deviation exceeds the user-defined threshold α. In our experiments we tried different values of α and observed that it should lie in the range 0.1 to 1. The performance of the method depends on choosing the correct value of α, which is difficult to predict in advance, so detection with a dynamically adapted threshold is preferable to a static threshold value.

4.4 Conclusion and Future Work
In this paper we describe a DoS/DDoS attack detection method based on multivariate correlation analysis. The method uses a Triangular Area Matrix (TAM) to store the correlation values among the features. We split the original network traffic into multiple time windows, preprocess the captured data and extract three features, viz., entropy of source IPs, variation index of source IPs and packet rate, from each window. We generate a normal profile from the normal data during the training period and a test profile from the test samples during the testing period; if the test profile deviates from the normal profile by more than the threshold value, an attack is declared. The method shows high detection accuracy on the CAIDA and TUIDS datasets. As future work, we want to apply the multivariate correlation method to detect low-rate DDoS attacks using a supervised learning method.

5. ACKNOWLEDGMENTS
This work is supported by the Ministry of Human Resource Development under the FAST proposal scheme and by the UGC, Government of India, under SAP Level-II. The authors are thankful to both funding agencies.

6. REFERENCES
[1] T. Ahmed, M. Coates, and A. Lakhina. Multivariate online anomaly detection using kernel recursive least squares. In INFOCOM 2007, 26th IEEE International Conference on Computer Communications, pages 625-633. IEEE, 2007.
[2] D. K. Bhattacharyya and J. K. Kalita. Network anomaly detection: A machine learning perspective. CRC Press, 2013.
[3] KDD Cup 1999 data. Knowledge Discovery in Databases DARPA archive, 1999.
[4] F. Cuppens, F. Autrel, A. Miege, and S. Benferhat. Correlation in an intrusion detection process. In Internet Security Communication Workshop (SECI'02), pages 153-172, 2002.
[5] L. Feinstein, D. Schnackenberg, R. Balupari, and D. Kindred. Statistical approaches to DDoS attack detection and response. In DARPA Information Survivability Conference and Exposition, 2003, Proceedings, volume 1, pages 303-314. IEEE, 2003.
[6] P. Gogoi, M. H. Bhuyan, D. Bhattacharyya, and J. K. Kalita. Packet and flow based network intrusion dataset. In Contemporary Computing, pages 322-334. Springer, 2012.
[7] P. Hick, E. Aben, K. Claffy, and J. Polterock. The CAIDA DDoS attack 2007 dataset, 2007.
[8] N. Hoque, D. Bhattacharyya, and J. Kalita. MIFS-ND: A mutual information-based feature selection method. Expert Systems with Applications, 41(14):6371-6385, 2014.
[9] N. Hoque, D. K. Bhattacharyya, and J. K. Kalita. Botnet in DDoS attacks: Trends and challenges. IEEE Communications Surveys & Tutorials, 17(4):2242-2270.
[10] N. Hoque, D. K. Bhattacharyya, and J. K. Kalita. FFSc: a novel measure for low-rate and high-rate DDoS attack detection using multivariate data analysis. Security and Communication Networks, 2016.
[11] N. Hoque, M. H. Bhuyan, R. Baishya, D. Bhattacharyya, and J. Kalita. Network attacks: Taxonomy, tools and systems. Journal of Network and Computer Applications, 40(1):307-324.
[12] H. J. Kashyap and D. Bhattacharyya. A DDoS attack detection mechanism based on protocol specific traffic features. In Proceedings of the Second International Conference on Computational Science, Engineering and Information Technology, pages 194-200. ACM, 2012.
[13] P. A. R. Kumar and S. Selvakumar. Detection of distributed denial of service attacks using an ensemble of adaptive and hybrid neuro-fuzzy systems. Computer Communications, 36(3):303-319, 2013.
[14] H.-M. Lee, C.-M. Chen, J.-M. Chen, and Y.-L. Jou. An efficient fuzzy classifier with feature selection based on fuzzy entropy. IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics, 31(3):426-432, 2001.
[15] W. Lee and D. Xiang. Information-theoretic measures for anomaly detection. In Proceedings of the 2001 IEEE Symposium on Security and Privacy (S&P 2001), pages 130-143. IEEE, 2001.
[16] P. Ning and S. Jajodia. Intrusion detection techniques. The Internet Encyclopedia, 2003.
[17] J. Santiago-Paz, D. Torres-Roman, and P. Velarde-Alvarado. Detecting anomalies in network traffic using entropy and Mahalanobis distance. In 22nd International Conference on Electrical Communications and Computers (CONIELECOMP 2012), pages 86-91. IEEE, 2012.
[18] M.-L. Shyu, S.-C. Chen, K. Sarinnapakorn, and L. Chang. A novel anomaly detection scheme based on principal component classifier. Technical report, DTIC Document, 2003.
[19] R. W. Swiniarski and A. Skowron. Rough set methods in feature selection and recognition. Pattern Recognition Letters, 24(6):833-849, 2003.
[20] Z. Tan, P. Nanda, R. P. Liu, A. Jamdagni, and X. He. A system for denial-of-service attack detection based on multivariate correlation analysis. IEEE Transactions on Parallel and Distributed Systems, 99(1):1, 2013.
[21] G. Thatte, U. Mitra, and J. Heidemann. Parametric methods for anomaly detection in aggregate traffic. IEEE/ACM Transactions on Networking, 19(2):512-525, 2011.
[22] N. Ye, S. M. Emran, Q. Chen, and S. Vilbert. Multivariate statistical analysis of audit trails for host-based intrusion detection. IEEE Transactions on Computers, 51(7):810-820, 2002.
[23] L. Yu and H. Liu. Feature selection for high-dimensional data: A fast correlation-based filter solution. In ICML, volume 3, pages 856-863, 2003.